22:40: Does nmap suck at UDP?
Continuing my previous post about nmap, I have to say that nmap lacks good support for UDP. Most UDP services do not respond to malformed or zero-length UDP packets, so a probe that carries no payload tells you nothing. This is where unicornscan helps: it has a good database of payloads. Sadly it does not cover all of the top 10 UDP ports from the nmap author's "Scanning Internet" talk, but it still helps us. Alternatively you can use other, protocol-specific utilities: ike-scan, nbtscan.
unicornscan -r5 -mU -I network/24:53,123,137,500
will find much more than
nmap -sU -p 53,123,137,500
It is also possible to use your own nmap-service-probes file and write your own probe packets (use the --datadir option), but I have not tried that yet. The default nmap probe database lacks ISAKMP, though it successfully finds DNS:
nmap -p 53 host.ua -P0 -sUV
PORT STATE SERVICE VERSION
53/udp open domain ISC Bind 9.X
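The two points above (an empty UDP datagram gets no answer from most services, while a protocol-correct payload does, and you can craft such payloads yourself) can be demonstrated end to end on one host. The following is an added example, not code from the post nor from nmap, unicornscan or amap: it builds the classic version.bind TXT/CHAOS query, sends it to a port, and classifies the result the way a UDP scanner would. Because a real DNS server is not assumed to be reachable, a tiny stand-in responder on 127.0.0.1 (a constructed stub that ignores anything shorter than a DNS header and answers valid queries) plays the role of the daemon; the host, port and transaction id 0x1234 are assumptions of the example.

```python
import socket
import struct
import threading

# Well-known DNS constants used by the probe (standard values, not from the page).
QTYPE_TXT = 16
QCLASS_CHAOS = 3


def build_dns_query(qname, qtype, qclass, txid=0x1234):
    """Build a minimal DNS query: 12-byte header followed by one question."""
    # flags 0x0100 = standard query with recursion desired; 1 question, 0 records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


# The version.bind TXT CHAOS probe that BIND-style servers answer.
VERSION_BIND_PROBE = build_dns_query("version.bind", QTYPE_TXT, QCLASS_CHAOS)


def probe_udp(host, port, payload, timeout=1.0):
    """Send one datagram and classify the port like a UDP port scanner.

    Returns (state, reply_bytes): 'open' if anything came back, 'closed' if the
    kernel surfaced an ICMP port-unreachable as ECONNREFUSED (Linux does this),
    and 'open|filtered' on silence, i.e. a filtered port or a service that simply
    ignored our payload. The last case is exactly what an empty probe cannot resolve.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(512)
        return "open", data
    except socket.timeout:
        return "open|filtered", b""
    except ConnectionRefusedError:
        return "closed", b""
    finally:
        sock.close()


def _toy_dns_responder(sock, stop):
    """Constructed stand-in for a DNS daemon: drops datagrams that cannot be a
    query (empty or shorter than the header) and echoes valid ones back with
    the QR bit (0x8000) set in the flags, so the client sees a 'response'."""
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(512)
        except socket.timeout:
            continue
        if len(data) < 12:
            continue  # malformed probe: silently ignored, like most UDP services
        txid, flags = struct.unpack("!HH", data[:4])
        sock.sendto(struct.pack("!HH", txid, flags | 0x8000) + data[4:], addr)


def start_toy_dns_server(host="127.0.0.1"):
    """Bind an ephemeral UDP port on localhost and serve it from a daemon thread.
    Returns (port, stop_event); set the event to end the responder loop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(0.2)
    stop = threading.Event()
    threading.Thread(target=_toy_dns_responder, args=(sock, stop), daemon=True).start()
    return sock.getsockname()[1], stop


def compare_probes(host, port, timeout=1.0):
    """Probe the same port with an empty datagram and with a real DNS query."""
    empty_state, _ = probe_udp(host, port, b"", timeout)
    real_state, reply = probe_udp(host, port, VERSION_BIND_PROBE, timeout)
    return {"empty": empty_state, "version.bind": real_state, "reply": reply}


if __name__ == "__main__":
    port, stop = start_toy_dns_server()
    result = compare_probes("127.0.0.1", port)
    stop.set()
    print(f"empty probe  -> {result['empty']}")
    print(f"version.bind -> {result['version.bind']} ({len(result['reply'])} bytes back)")
```

Run against the stub, the empty datagram times out and is reported as open|filtered, while the version.bind query comes back as open with the transaction id preserved and the QR bit set. Against a real resolver the same probe_udp function applies unchanged; the responder only exists so the example runs offline.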
Using amap to identify ISAKMP was unsuccessful; DNS was identified successfully.
amap -u host.ua 53
root@localhost:~/soft/framework-3.1# amap -u matrix.ua 53
amap v5.2 (www.thc.org/thc-amap) started at 2008-09-07 12:40:03 - MAPPING mode
Protocol on xxxxx:53/udp matches dns-djb
Protocol on xxxx:53/udp matches dns
Protocol on xxxx:53/udp matches dns-ms
Protocol on xxxx:53/udp matches dns-bind9
Unidentified ports: none.
amap v5.2 finished at 2008-xxx 12:40
Using the metasploit scanner/discovery/sweep_udp module to identify ISAKMP was unsuccessful; DNS was identified successfully.
./msfconsole
use scanner/discovery/sweep_udp
set RHOSTS net/24
run
[*] Discovered DNS on ::ffffxxxxx.xxxx.xxxx (000000000100c00c00020003000000000002c00c)
[*] Auxiliary module execution completed